Avoiding worse PR
I guess someone read the coffee grounds and saw the Ghost of PR Past. Fear of bad press makes for good corporate decisions. Patch it if you can.
It’s that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for out-of-support operating systems Windows XP and Server 2003. Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious …
Yay; installing XP SP3 has completely knackered the PC's ability to support a USB keyboard or mouse. It now fails to boot to Windows (not even safe mode!) with either in place or reboots spontaneously if in XP and either is plugged in. Luckily this is a copy of the production one but FFS, it's really making my day. Thankfully I still have a PS/2 keyboard in the cupboard (unused, box-fresh, Microsoft branded and in beige; hello 1998!) and can boot into it but what a PITA. Looks like the production version is getting the Terminal Services service disabled and SP3 ignored. Apologies to my forebears for being so rude about them. Try explaining to manufacturing why you're risking their infrastructure for a security update :-(
I'd be very leery of installing SP3 on a working machine tool coupled to a Win XP box.
All the windows powered machine tools we use have a warning on the manual saying
"Do not upgrade or install updates as your machine will not be covered by our warranty/insurance." *
Plus we keep them on the machining network that's air gapped from the internet... so hopefully nowt nasty can get through
* Luckily, those last 2 Win machines are going soon and will be replaced with spiffy Linux powered ones to match the 14 we already have
I'm guessing that when Microsoft tightened up the security procedures in XP via SP3 it broke something that worked insecurely... I do vaguely recall a scramble by various vendors to patch various stuff at the time... though my memory might be deviating?
Might just need the motherboard BIOS patched? (I recall a machine that had similar issues, a patch from the motherboard vendor resolved the issue)
Albeit the machine tool software likely isn't SP3 compliant for similar "creative programming" reasons
>It now fails to boot to Windows (not even safe mode!)
You did take a full disk image (e.g. Clonezilla) before you started?
Suspect if only running SP2 then BIOS, chipset drivers and OS drivers needed updating before you attempted the update. Plus probably worth ensuring the system has 4GB of RAM.
If you still have XP machines that you can't get rid of, ideally you should just keep them off the network. Failing that, lock them down behind the tightest possible firewall (and I mean a separate firewall, don't rely on the XP one), only allowing traffic on the bare minimum of ports. Perhaps investigate if they can live on their own separate network, only connected to a second NIC on a more secure computer which is in turn connected to the wider network.
I believe the TeamViewer host maintains an outgoing connection to the TeamViewer servers to facilitate connections from behind a NAT router. So, unless there are additional considerations, you should be able to use a strict firewall that denies all connections coming from the internet and just allow connections initiated by the XP machine.
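The default-deny policy the two comments above describe (nothing inbound to the XP segment, only flows the XP host itself opens and their replies) as an added Python simulation; this is example code, not anything from the thread, and the addresses and ports are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption, not from the thread): the XP boxes live on
# their own segment behind a separate firewall, apart from the wider corporate LAN.
XP_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
CORP_LAN = ipaddress.ip_network("10.0.0.0/16")
# Bare-minimum outbound services the XP host may initiate itself
# (HTTPS and an assumed remote-support relay port; illustrative values).
ALLOWED_OUTBOUND_PORTS = {443, 5938}


@dataclass(frozen=True)
class Flow:
    """One packet's 4-tuple as seen by the segment firewall."""
    src: str
    sport: int
    dst: str
    dport: int


class XpSegmentFirewall:
    """Stateful filter: only XP-initiated flows and their replies are accepted."""

    def __init__(self):
        # 4-tuples of connections the XP side opened (a tiny conntrack table)
        self.tracked = set()

    def decide(self, f: Flow) -> str:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        # Reply traffic for a connection the XP host opened: accept.
        if (f.dst, f.dport, f.src, f.sport) in self.tracked:
            return "ACCEPT"
        # New flow leaving the XP segment towards an allowed outbound service:
        # accept and remember it so the answer can come back.
        if src in XP_SEGMENT and dst not in XP_SEGMENT and f.dport in ALLOWED_OUTBOUND_PORTS:
            self.tracked.add((f.src, f.sport, f.dst, f.dport))
            return "ACCEPT"
        # Everything else is dropped: in particular any new inbound connection to the
        # segment, whether from the internet or from the corporate LAN (RDP included).
        return "DROP"
```

The point the simulation makes is that the LAN-side RDP attempt is dropped just like the internet-side one, so a wormable RDP bug on the XP box is reachable only from the segment itself.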
I *highly* recommend the Appliance iteration of vCenter, especially 6.5 and newer- as long as you have a functional DNS running in your network, it's easy enough to set up, and it has Update Manager baked into it, so you don't have to deploy a half-dozen machines to have a functional environment.
This seemed so serious I used the "May security only" patch on my Windows 7. The first in several months as I stopped at one of the previous patching debacles.
Before that I changed the registry settings not to get the new Intel patches (I do not deem them worth the expected hit on CPU speed). I also applied the "pciclearstalecache" file provided as a download next to the actual May patch. It is necessary if someone (wisely) skipped March and April.
"I noticed that the article doesn't mention Vista, is that because Vista is immune or just because even Microsoft don't want to admit they even made that OS any more?"
...Vista who?
Vista certainly isn't immune as everything from XP to 7 is vulnerable, including 2008 Server which uses the same codebase as Vista. From another website:
I'd just turn off the Remote Desktop in public networks if I was caught using Vista...
It would be interesting to know how many of the XP or Server 2003 boxes that are exposed to the internet are actually still configured for automatic updates. I suspect that those that aren't are "managed" by the sort of person who won't be manually updating them.
Agree, however, all the various XP boxes I encounter I have left set to check and download updates and inform user if they want them installed. This way XP security checker is happy and doesn't show red in the status bar - hence users don't have to ignore a red warning and thus get into the habit of ignoring warnings...
In the days of credential stuffing, BYOD, and every man and dog being allocated email irrespective of their actual role in the business, I don't think that merely having a VPN layer at the edge solves the problems. Even an internal only terminal services machine is at risk from a wormable exploit.
Seems to be a big focus on this vulnerability for XP/2003; it is also exploitable on W7/2008.
Luckily there is still patching in place for W7/2008 so that can be easily deployed via WSUS / SCCM. It is nice of Microsoft to provide the patches for older OS as it's guaranteed some companies will still be using XP/2003 and RDP is usually enabled to allow remote management of the servers.
Along with the ZombieLoad issues this month, probably one of the worst months in recent memory for security issues.
>Seems to be a big focus on this vulnerability for XP/2003
That's because all versions of XP are now EoL - unless you are paying MS for extended extended support.
Win7/2008 go end of life in January 2020, so will receive this patch via the normal security patch channel.
But you are right, in that the NHS demonstrated that WannaCry on Win7 was a bigger issue than WannaCry on XP.